dridex | 6b146c5ce365cba99f25e10535011a4a1b107a2e972dddb7d97204154233c8ac

Analysis

max time kernel
119s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16/01/2025, 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b146c5ce365cba99f25e10535011a4a1b107a2e972dddb7d97204154233c8acN.dll
Size

768KB
MD5

6e095303f4a13d3abc3570c81c9770b0
SHA1

51d72095910bcee40e9ca5d3faedf1b3072b5e0a
SHA256

6b146c5ce365cba99f25e10535011a4a1b107a2e972dddb7d97204154233c8ac
SHA512

602eccf8d5b16cc78409f912752b594c7d01d0eaa79c7723b491a3c48ee19a5b1885769cecabdced0eccb1f7b045237bd8616b4949e36b09a75616aa0277dc6e
SSDEEP

12288:J4vNC4bAo/u7kwVKwtKFjZMrCx1U6RjUEjkxDekdIppEiQ/W+nxtnP4DqMX9z6Vo:J4ld9/EkwVK+KFjZBxJ4PgGnMsMryIxN

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1160-5-0x0000000002F70000-0x0000000002F71000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
2808	recdisc.exe
2824	DevicePairingWizard.exe
2292	raserver.exe

Loads dropped DLL 7 IoCs

pid	Process
1160	Process not Found
2808	recdisc.exe
1160	Process not Found
2824	DevicePairingWizard.exe
1160	Process not Found
2292	raserver.exe
1160	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rcoehfpd = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\2xrnddOs\\DEVICE~1.EXE"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	recdisc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DevicePairingWizard.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	raserver.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2516	rundll32.exe
2516	rundll32.exe
2516	rundll32.exe
1160	Process not Found
1160	Process not Found
1160	Process not Found
1160	Process not Found
1160	Process not Found
1160	Process not Found
1160	Process not Found
1160	Process not Found
1160	Process not Found
1160	Process not Found
1160	Process not Found
1160	Process not Found
1160	Process not Found
1160	Process not Found
1160	Process not Found
1160	Process not Found
1160	Process not Found
1160	Process not Found
1160	Process not Found
1160	Process not Found
1160	Process not Found
1160	Process not Found
1160	Process not Found
1160	Process not Found
1160	Process not Found
1160	Process not Found
1160	Process not Found
1160	Process not Found
1160	Process not Found
1160	Process not Found
1160	Process not Found
1160	Process not Found
1160	Process not Found
1160	Process not Found
1160	Process not Found
1160	Process not Found
1160	Process not Found
1160	Process not Found
1160	Process not Found
1160	Process not Found
1160	Process not Found
1160	Process not Found
1160	Process not Found
1160	Process not Found
1160	Process not Found
1160	Process not Found
1160	Process not Found
1160	Process not Found
1160	Process not Found
1160	Process not Found
1160	Process not Found
1160	Process not Found
1160	Process not Found
1160	Process not Found
1160	Process not Found
1160	Process not Found
1160	Process not Found
1160	Process not Found
1160	Process not Found
1160	Process not Found
1160	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1160 wrote to memory of 2708	1160	Process not Found	30
PID 1160 wrote to memory of 2708	1160	Process not Found	30
PID 1160 wrote to memory of 2708	1160	Process not Found	30
PID 1160 wrote to memory of 2808	1160	Process not Found	31
PID 1160 wrote to memory of 2808	1160	Process not Found	31
PID 1160 wrote to memory of 2808	1160	Process not Found	31
PID 1160 wrote to memory of 2320	1160	Process not Found	32
PID 1160 wrote to memory of 2320	1160	Process not Found	32
PID 1160 wrote to memory of 2320	1160	Process not Found	32
PID 1160 wrote to memory of 2824	1160	Process not Found	33
PID 1160 wrote to memory of 2824	1160	Process not Found	33
PID 1160 wrote to memory of 2824	1160	Process not Found	33
PID 1160 wrote to memory of 2968	1160	Process not Found	34
PID 1160 wrote to memory of 2968	1160	Process not Found	34
PID 1160 wrote to memory of 2968	1160	Process not Found	34
PID 1160 wrote to memory of 2292	1160	Process not Found	35
PID 1160 wrote to memory of 2292	1160	Process not Found	35
PID 1160 wrote to memory of 2292	1160	Process not Found	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6b146c5ce365cba99f25e10535011a4a1b107a2e972dddb7d97204154233c8acN.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2516

C:\Windows\system32\recdisc.exe
C:\Windows\system32\recdisc.exe
1⤵
PID:2708

C:\Users\Admin\AppData\Local\1rQPyl\recdisc.exe
C:\Users\Admin\AppData\Local\1rQPyl\recdisc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2808

C:\Windows\system32\DevicePairingWizard.exe
C:\Windows\system32\DevicePairingWizard.exe
1⤵
PID:2320

C:\Users\Admin\AppData\Local\ixJv2o\DevicePairingWizard.exe
C:\Users\Admin\AppData\Local\ixJv2o\DevicePairingWizard.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2824

C:\Windows\system32\raserver.exe
C:\Windows\system32\raserver.exe
1⤵
PID:2968

C:\Users\Admin\AppData\Local\0CWHXG\raserver.exe
C:\Users\Admin\AppData\Local\0CWHXG\raserver.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\0CWHXG\WTSAPI32.dll

Filesize
772KB

MD5
3d739f6f0ba86cf5c2bff996142fb30b

SHA1
ad2faa92e809bd7f1ce5511fcb405d5d118a9cf1

SHA256
22916837a68aea45b15cad4a0fd3f77d72c0286801d487ed58cc497c5791a7e4

SHA512
72260b889b82afb54c75b35ad14ccfd1d9a8fbbd44625c21c38d1fc962c0c3c5550ec853d92fbb31707aeb59daf71d15fd4ac21b32d9577faa2e9b217e570af7

Download Submit
C:\Users\Admin\AppData\Local\1rQPyl\SPP.dll

Filesize
772KB

MD5
9b06ea6a2a12a510d79f0fa808fe81c4

SHA1
e582c2b780aad2ac982fabee3389201749a54ec1

SHA256
fd2baf85ab6b7895e23116db6084c27aad7bd47cdbeed881e380406b37141be4

SHA512
b7610a06efa38763d3b8898bae5e4fdb97e9359f5f7115c3a0c60b03120585f363c3873ef8f9341f82ccdad8fac63646bbc12f45069ebc43781678e064d535c3

Download Submit
C:\Users\Admin\AppData\Local\ixJv2o\DevicePairingWizard.exe

Filesize
73KB

MD5
9728725678f32e84575e0cd2d2c58e9b

SHA1
dd9505d3548f08e5198a8d6ba6bcd60b1da86d5c

SHA256
d95d3aa065a657c354244e3d9d4dc62673dc36c1bed60650fade7d128ddab544

SHA512
a5d22240450e7b659cba507f9abe7e6d861e9712ca2335ea5ceb69e3557362b00f5d02bf84c3a6fed82a09eda555866dcab43741ad9c6db96e1e302ef2363377

Download Submit
C:\Users\Admin\AppData\Local\ixJv2o\MFC42u.dll

Filesize
796KB

MD5
33443cbe0de4873e4389a70a14b785fc

SHA1
83b543b37e436f14a6b55a84ce3da60987018ff0

SHA256
714496af8c1ec9c8c962d5e7e2d208c9b0cb68786cee04fd0a69720cb33a23d6

SHA512
e22d5b68f9d39de7038fa8722980be9d5140dfb656c220aefb1ed452a75b3a9ad55d200015f76b1bd4c7eab3bb603193ceeb87125a02733e5ef2b0223ec37654

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yjafzwirjcl.lnk

Filesize
1KB

MD5
c20507c71edfe750fcf7fa67a0d6f2fa

SHA1
479f9a3f24c8f86013d19c3ab45f611c5d3623e0

SHA256
0269f779da9d09ca4dd795094275aaea894dc4369d622b77212424526dcec4b3

SHA512
20f8aaadf3b9765042cf87e213d22cad876ff2960be3246da04955bb06f381eb1a620aaa392e83d9918bf774b32a4e458949935f87362b4c1572bbbb1a31348d

Download Submit
\Users\Admin\AppData\Local\0CWHXG\raserver.exe

Filesize
123KB

MD5
cd0bc0b6b8d219808aea3ecd4e889b19

SHA1
9f8f4071ce2484008e36fdfd963378f4ebad703f

SHA256
16abc530c0367df1ad631f09e14c565cf99561949aa14acc533cd54bf8a5e22c

SHA512
84291ea3fafb38ef96817d5fe4a972475ef8ea24a4353568029e892fa8e15cf8e8f6ef4ff567813cd3b38092f0db4577d9dccb22be755eebdd4f77e623dc80ac

Download Submit
\Users\Admin\AppData\Local\1rQPyl\recdisc.exe

Filesize
232KB

MD5
f3b306179f1840c0813dc6771b018358

SHA1
dec7ce3c13f7a684cb52ae6007c99cf03afef005

SHA256
dcaeb590394b42d180e23e3cef4dd135513395b026e0ed489aec49848b85b8f0

SHA512
9f9ec4c2ca6373bd738bf415d059f3536390e46e5b0a560e9ee1b190407a6d0f481c38664c51b834a9e72d8878f71c3c19e427e3a6b5ca4ec6b02d1156eb9ef4

Download Submit
memory/1160-24-0x0000000077121000-0x0000000077122000-memory.dmp

Filesize
4KB

Download
memory/1160-22-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1160-97-0x0000000077016000-0x0000000077017000-memory.dmp

Filesize
4KB

Download
memory/1160-25-0x0000000077280000-0x0000000077282000-memory.dmp

Filesize
8KB

Download
memory/1160-23-0x0000000002F50000-0x0000000002F57000-memory.dmp

Filesize
28KB

Download
memory/1160-15-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1160-14-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1160-13-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1160-11-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1160-4-0x0000000077016000-0x0000000077017000-memory.dmp

Filesize
4KB

Download
memory/1160-9-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1160-34-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1160-39-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1160-38-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1160-44-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1160-16-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1160-12-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1160-8-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1160-7-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1160-5-0x0000000002F70000-0x0000000002F71000-memory.dmp

Filesize
4KB

Download
memory/2292-83-0x000007FEF6910000-0x000007FEF69D1000-memory.dmp

Filesize
772KB

Download
memory/2292-87-0x000007FEF6910000-0x000007FEF69D1000-memory.dmp

Filesize
772KB

Download
memory/2292-86-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/2516-10-0x000007FEF6F10000-0x000007FEF6FD0000-memory.dmp

Filesize
768KB

Download
memory/2516-0-0x000007FEF6F10000-0x000007FEF6FD0000-memory.dmp

Filesize
768KB

Download
memory/2516-3-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/2808-57-0x000007FEF6FC0000-0x000007FEF7081000-memory.dmp

Filesize
772KB

Download
memory/2808-54-0x000007FEF6FC0000-0x000007FEF7081000-memory.dmp

Filesize
772KB

Download
memory/2808-53-0x0000000000390000-0x0000000000397000-memory.dmp

Filesize
28KB

Download
memory/2824-68-0x000007FEF6910000-0x000007FEF69D7000-memory.dmp

Filesize
796KB

Download
memory/2824-72-0x000007FEF6910000-0x000007FEF69D7000-memory.dmp

Filesize
796KB

Download
memory/2824-71-0x00000000000E0000-0x00000000000E7000-memory.dmp

Filesize
28KB

Download